I don't know if I'd brag about my tenure there in the context of selling security consulting.

This.

Detecting and stopping an insider from downloading a library of proprietary/classified info outside their job description? Fail.
Capable of searching emails to fulfill a court order for information? Fail.
Bringing a basic (if high-end) new datacenter online? Fail (for not securing a reliable source of electricity).
Obeying the rules that govern their core mission? Fail.
Performing their core mission? Fail.

No doubt, the NSA remains every bit as scary as ever, but in more of a "CIA goon" sense than their traditional so-flawlessly-smooth-you-won't-even-know-what-happened reputational sense.

It seems to me that the entire purpose of any secret government agency is to benefit the secret government agency.

Michael Moore is a self-taught movie maker. His movie about U.S. government corruption in secret agencies, Fahrenheit 9/11 [boxofficemojo.com], made $222,446,882. It's not like extreme U.S. government corruption is unknown.

There is a HUGE conflict of interest, and the U.S. government seems to have no influential methods of dealing with conflicts of interest. If there is security, people who work for the NSA are less likely to be promoted, and may lose their jobs. That is a powerful reason for NSA employees and management, and other secret U.S. government agencies, to create more insecurity. Since they work entirely in secret, no one can stop them.

U.S. government policies allow many secret agencies. I find it odd that news stories assume that, other than doing things that almost no citizens want, the secret agencies are otherwise well-managed. Numerous examples show that they aren't. For example, Edward Snowden [wikipedia.org], an employee of an NSA sub-contractor, was able to walk away with all the data.

To me, it is also odd that news stories assume that the NSA works to improve security of the U.S. and U.S. citizens. For example, the book House of Bush, House of Saud [wikipedia.org] explains that the Bush and Cheney families worked for the Saudis, who paid them billions for their help. The U.S. taxpayer paid for the arms, military presence, and violence that supposedly was free security for the Saudi government, but actually was, as Saudi acquaintances I met in a gym said long before the 9/11 attack, Saudi government oppression of the Saudi people.

Why does the NSA record phone calls? Is it because learning about some of those calls makes money for someone in control? Investment information, perhaps?

Detecting and stopping an insider from downloading a library of proprietary/classified info outside their job description? Fail.

It seems like a lot of people seem to have ignored the detail that Snowden picked Hawaii because it didn't have access controls yet.

The NSA and DoD have been rolling out software upgrades across their facilities specifically to prevent another Manning.Hawaii was not upgraded, Snowden knew this, and he used this knowledge to pilfer data without restrictions.

You'd have to be a fool to think the NSA would keep dumping money and resources into programs that weren't yielding good intel.

I think you're the fool if you really think that. think about it. nobody, really nobody(is supposed to), is going to find out about the quality of the intel. people involved with the decisions are gettin money from the money dumping. so you really think they wouldn't keep dumping money and resources into programs that weren't producing good intel? they could always even argue to themselves that whatever bullshit program they're in charge of _might_ yield some intel some day maybe and thus it's worth dumpin

Actually I'm going to disagree with you there. Yes, Snowden was a loss for the NSA, but not a fatal loss.

Gen. Alexander presided over and participated in an epic expansion of the NSA budget, mandate, and importance. They achieved the nirvana of government existence: To become a mover and shaker. The NSA now overshadows the CIA and FBI in importance.

The Snowden disclosures threaten that status, but notice that none of the limitations on the NSA have actually happened yet. Lots of talk but little action. The government likes it's pervy magic database of secrets and private communications. Sure it's constitutionally infringing but hey, terr'ists!!

And even if the golden age of spying winds up being curbed, Gen. Alexander can always find a way to blame someone else, or say "it' was one unfortunate mistake, lessons were learned, I wasn't properly informed, etc."

That's perhaps what they think but it's a questionable. Without his disclosures they would never have fixed their utterly ridiculous internal security. If it took just one external consultant to grabb all this information, they cannot seriously believe that a foreign intelligence agency hadn't been capable of doing the same.

What is strange is that neither Clapper nor Alexander are being prosecuted for Contempt of Congress.

I was going to write a reply saying the banking industry comprises private--not government--money. But hilarity ensued as I struggled to word my post carefully enough to defeat trolls telling me I was overlooking the bank bailouts of half a decade ago. After a while I realized I couldn't make my case and decided you're right--it is government spending.

So congrats on being even more cynical than I am. Care for an ennui contest?

THe banking industry is probably wanting a step up in security, while the NSA under Alexander had horrible internal security. Alexander's forte seems to be using brute force to break the security of others, not actually keeping an organization secure.

Alexander's forte seems to be using brute force to break the security of others, not actually keeping an organization secure.

It sure is a good thing that the banking industry is a bunch of totally upstanding, honest, guys, steeped in a culture of prudent moderation, who definitely wouldn't have any interest in the potential applications of NSA-tested 'tailored access operations' for shareholder value, enhanced lobbying, and other exciting things; or the colossal hubris necessary to not even think twice about doing so.

"THe banking industry is probably wanting a step up in security, while the NSA under Alexander had horrible internal security. Alexander's forte seems to be using brute force to break the security of others, not actually keeping an organization secure."Perhaps that's his pitch?

The best defense is a good offense. Instead of fixing your security flaws, just make sure that getting to important systems will take some time, and be detected. Then wait for attacks to start, counterattack, and wipe out the attacker

The sort of services being offered are easily worth USD $1M/month when you consider who the clients are, the scale of their operations, the degree to which their systems are interconnected with those of other institutions (large and small), and the complexities involved with regulatory/legal/reputation compliance and management. Risk management and threat analysis are not simple subjects.

So the poor general can't participate in the usual dance of former Washington insiders who use cronyism and connections to enrich themselves after 'serving' in government?

There should be a name for that... like 401(c)... where c stands for crony capitalism.

What's more hilarious is that, apparently, the only thing to General Alexander's credit as head of the NSA was his ability to keep secrets. He was literally "the most powerful cyber-lord in the world" (for lack of a better term) and his only qualification was keeping secrets? He didn't bring anything to the table in terms of management skills, best practices, or good judgement via foresight? Because that's what you have to read into a statement like "..Without the classified information he acquired in hi

It's also blatantly not true. Even if he learned about some hundreds of network and OS vulnerabilities because he authorized NSA branded custom exploits to use them, the knowledge of the vulnerabilities is not classified, only the behavior of the NSA proprietary exploit tools. As long as he is fixing the exploits and not just tweaking them so the NSA toys can't use them (until the next internal revision), his knowledge is fair game for him to use for personal profit.

Exactly my point... If you learn a skill at your job, your employer cannot strip you of that skill when you leave.

Obviously selling government secrets is different from saying here's how you implement industry best practices to create security processes.

If the government had a secret security-bypassing technique, and had educated him on its use, he may or may not be obligated under his new employer to close the hole. And as a constituent of that government, I would approve of that use of that information.

Given all the things the "NSA cannot tell Congress" that are secret I'd think that most information this guy has is not usable. Because anything you learn working for the NSAis by definition secret until explicitly declassified...

If he simply inspected their systems, fixed any holes he knew about, provided no information to the bank about what he had done except a note to say "your system is now more secure" that might be okay.

That assumes that the existing client staff wouldn't have a clue about how to compare the systems baselines before his security changes with the state of the systems after. The diffferences between the two states would contain the "secret".

It is? Odd that someone as insignificant as me has it in his contract that any kind of "internal knowledge" he gains (and, bluntly, if an exploit isn't considered internal knowledge in a TLA, what is?) must not be used outside of very well defined areas of work for at the very least 2 years, while someone as the NSA head honcho gets a free pass to use such knowledge as he pleases.

Nope. I've talked about this with many lawyers. It varies by state. In CA, non-compete clauses are basically unenforceable. In TX, where I live, they're the law of the land.

-Chris

You need to talk to a better attorney then (if you're near Austin I can recommend Tom Nesbitt - IANAL but I do consult with them when I have questions like this). Even in Texas there's a long list of things that a company has to do in order to enforce a non-compete clause including but not limited to showing that your actions caused them real harm. I prefer to follow both the letter and the spirit of those agreements, but its always good to know how much is actually enforceable.

It is? Odd that someone as insignificant as me has it in his contract that any kind of "internal knowledge" he gains (and, bluntly, if an exploit isn't considered internal knowledge in a TLA, what is?) must not be used outside of very well defined areas of work for at the very least 2 years, while someone as the NSA head honcho gets a free pass to use such knowledge as he pleases.

It's hard to imagine that the banking industry is seen as competing with the NSA (in the sense that a non-compete would be enforceable)... Or is it?

Well, both are propped up by the taxpayer and it's questionable whether they work in his interest, to the point where people are actually hitting the streets to protest against them, so, well, in a way...

Erh... that would be akin to a occupational ban. I mean, as soon as you even as much as reach towards anything that could remotely be considered "security" you are essentially in competition with the octopus the NSA is...

But the NSA (apparently) isn't in the data securing business. They're in the learning secrets business. A non-compete clause would prevent him from working for the CIA or the Defense Intelligence Agency or someone else in the learning secrets business. If a court says that securing the data of people engaged in lawful behavior is competing with the NSA, then they're saying that knowing everything about the doings of the people engaged in lawful behavior is properly within the NSA's purview. The NSA migh

Perhaps they could provide an example of where they successfully secured some data ]~_^} But, more seriously, securing commercial data still isn't in competition with the NSA, as the NSA's data securing activities have zero presence in that market. I'm sure he couldn't use copies of software developed at his old job. But, making sure that security software developed at his new job is sufficiently robust, and knowing under what circumstances security should be stronger, and under what other circumstances

From where I sit, it looks like there's too much stuff classified as secret and too little compartmentalization of the stuff that really ought to be kept secret. But, when I was making the example request, partly it was a complaint about them failing to declassify, not because the actual information still needs to be secret, but because public scrutiny might affect the agency budget or the career of someone still employed there - or just from not wanting to make the effort to determine whether they're done

Unless being NSA directory is a surprisingly cushy position, leaving ample time for personal development and cultivation, I'd be skeptical in this case. Aside from his 1978 BU MBA, there is approximately fuck all on his CV that doesn't involve either armored vehicles or classified (and not always licit) signals intelligence and surveillance work for Uncle Sam. He doesn't even appear to be one of the revolving-door guys who hops back and forth between a stint with the feds, a stint with Spydyne LLC, back to

Yeah, the jumping back and forth doesn't happen when you wear the uniform, or did you miss the General part. Not defending General Alexander here just commenting on the lack of moving from government to industry and back.

I don't have a problem with not being a revolving door hack (indeed, it's generally better than the alternative). My point was merely that Alexander's CV has very little on it that isn't either irrelevant to his potential customers (at least I hope our financial sector isn't looking for armored warfare expertise...) or closely connected to a series of fed jobs that just keep getting more heavily classified as time goes on. I am notably unsympathetic to the "zOMG! Noncompete! your employer owns every idea an

My point was merely that Alexander's CV has very little on it that isn't either irrelevant to his potential customers (at least I hope our financial sector isn't looking for armored warfare expertise...) or closely connected to a series of fed jobs that just keep getting more heavily classified as time goes on.

Hmm let's see if you can pick out the spot where he would be versed only in armored warfare expertise or looking at secret documents all day (this is his CV for the past 15 years):Director of the National Security Agency (DIRNSA)Chief of the Central Security Service (CHCSS)Commander of the United States Cyber CommandCommanding General of the U.S. Army Intelligence and Security CommandDirector of Intelligence (J-2), United States Central CommandDeputy Director for Intelligence (J-2) for the Joint Chiefs of StaffHead of the Army Intelligence and Security Command

Do you think it's possible, after working (ostensibly successfully) as the head of so many organizations, that he knows nothing about management, leadership, best practices, and nonclassified security methodologies (of which there are many)? Do you honestly think he spent 10 years, as the head of these orgs, pushing top secret papers across his desk instead of having his underlings take care of all of that? Come on. Furthermore, I think a lot of commentators on this thread have a complete misunderstanding of what a high-level consulting firm does. Hint, it has nothing to do with configuring firewalls and antivirus apps. Big multinationals will gladly pay $1M for advice as simple as "choose off the shelf security package A, instead of B" as long as it comes from someone whose credentials are beyond repute. He doesn't have to say anything about top secret operations, techniques, or sources, he just has to put his name behind something.

He didn't. That was his CEO and you bet that he's going to get pissed come review time.

There's a reason most US churches teaches you to fear the lord. They have reason to fear him. If you made a religion of peace, harmony and compassion and some people take it and turn it in a religion of hatred, control and bigotry, would you be pissed?

If profit is personal advantage, and Snowden is advancing an agenda based on ideals, then yes, he is advantaged and therefore profited. Not all people are motivated by money; for some, power, fame, or influence suffice. I'd say he did it for wholly selfish reasons: "He knew better than the State"

No, it merely means that for selling it you get to go on a trial where in the end you get to make some kind of deal with the state where you can keep half the profit and the other half disappears in some war purses for deals that you don't want to explain why you need funding for them.

If you hand it out for free you get to Gitmo. There's no profit in making a deal with you, you have no money you could offer.

In case it wasn't obvious mine was intended to be funny to show the disconnect in lines of thought, that somehow doing something illegal for personal gain is less serious than doing it because you think it's the right thing to do.

This smacks of the same crap Id is trying to pull off on Carmack (http://popcultureblog.dallasnews.com/2014/05/zenimax-and-id-software-have-filed-a-lawsuit-against-oculus-vr-and-dallas-based-john-carmack-is-in-the-middle.html/). Apparently employers think they own any knowledge an employee gains while on the job. Sure, secrets are secrets. But is *everything* they learned on the job is a secret?

1. When you've worked at a very high level the NSA;2. When you are selling security information/services; and3. When your asking price is far higher than competitive services by people who've worked at it far longer than you outside of the NSA,

What do you imagine lies in between publicly known and classified that justifies the price premium? Was he developing security procedures on his own time or at his second job?

Sure, secrets are secrets. But is *everything* they learned on the job is a secret?

Ask the CIA -- they would probably stamp TOP SECRET on his forehead and mark him as classified if they were allowed. NSA, well, they're a part of the army AND part of national security. You're not dealing with standard trade secrets here, you're dealing with national secrets. Usually they err on the side of caution with those, as we've seen with all the denied/delayed/redacted FOIA requests lately.

He seems like a bright guy and knows his way around political circles, but starting a company that appears t

Exactly. He doesn't need to do squat. He's implicitly selling the idea that he will be using all those secrets to help out his clients, but it's a flim-flam; he doesn't actually have to do it. And he was the head of the NSA, an administrator...what's the chance he knows much in the way of recent technical details anyway?

Exactly. He doesn't need to do squat. He's implicitly selling the idea that he will be using all those secrets to help out his clients, but it's a flim-flam; he doesn't actually have to do it.

I wouldn't call it film-flam nor implicitly selling the idea that he will be using all those secrets. He brings an executive understanding of the types of threats and how to explain them in a way senior leaders can understand and offer a team that can help address the threats a company may face. His company can address them without ever revealing any secrets he learned during his stint at NSA.

And he was the head of the NSA, an administrator...what's the chance he knows much in the way of recent technical details anyway?

His technical skills are largely irrelevant, that's his staff's role. Being head of NSA, on the other hand, gives hi

Completely agreed. He can also use his network of (public) contacts to make introductions between threatened enterprises and the right people to fix them - or introducing peers who have had similar issues but aren't happy being completely public about that fact yet both trust him to use that knowledge for their benefit. Getting your security vendor wrong could be a very expensive mistake.

It is ok if a government official sells state secrets, or gives preferential treatment to industry for money. This is the reason why they get high power government jobs n the first place. Look at the FCC, for instance. Their chairman is directly owned by industry. It is only plebs like Snowden that get prosecuted.

Hmmm. The Director of the NSA might encounter all sorts of information about the Big Money Boys that they would rather not be known generally. Would that information necessarily be classified? But whether or not it is, being paid NOT to disclose it would surely not be a violation of security. Wall Streeters might regard a million a month mighty cheap insurance...

This venture, it seems to me, is just a way to legitimize the payback for services he has already rendered while he was at the NSA. His 'clients' already know who they are, and they will expect to get nothing more concrete for their million per month than his continuing influence (or perhaps silence) in certain matters.

only the exact demarcation of its extent. If I know the NSA has a secret underground mole robot tapping in to buried data lines, I'm not giving away a national secret if I tell my client, "Y'know, lets run our data lines on phone poles," so long as I don't tell them exactly why I like that idea.

So the Congress believes there's no art or science to computer security besides classified information? This is like saying that any soldier who ever went on a classified mission can never market to an employer that he has military experience. This is ludicrous.

Where did he conduct perjury? I don't think he did. He LIED plenty but that is not a crime. Contempt of Congress etc? Well, something they seem to love to do is to NOT swear in these officials "out of respect" so while you may testify to congress under oath and they may require you to do so, these people are allowed to skip the disrespectful procedure. (Besides they feel there are legitimate public lies these officials have to make from time to time... which they could simply decline or put it off for th